isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
12,685 Commits 1 Branch 0 Tags
e3edd7a09a7b9bb33fceec15ce720f68f57811f0
Commit Graph

96 Commits

Author SHA1 Message Date
Todd C. Miller
e343e07543 Use #include <foo.h> instead of #include "foo.h" in most cases. 
We rely on the include path to find many of these headers.  It
especially doesn't make sense to use #include "foo.h" for headers
in the top-level include directory.
 2023-09-25 10:13:28 -06:00
Todd C. Miller
28a13501d8 Merge check_user() and check_user_interactive(), move getpass callbacks. 
The getpass callbacks are now defined in sudo_auth.c, which implements
auth_getpass().  As a result, struct getpass_closure is now public
and defined in timestamp.h.
 2023-09-09 14:07:11 -06:00
Todd C. Miller
0495afac57 Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}. 2023-09-09 14:07:07 -06:00
Todd C. Miller
7873f8334c Try to make sudo less vulnerable to ROWHAMMER attacks. 
We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS,
AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE.  In addition, we
explicitly test for expected values instead of using a negated test
against an error value.  In the parser match functions this means
explicitly checking for ALLOW or DENY instead of accepting anything
that is not set to UNSPEC.

Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk
Sunar, all affiliated with the Vernam Applied Cryptography and
Cybersecurity Lab at Worcester Polytechnic Institute, for the report.
Paper preprint: https://arxiv.org/abs/2309.02545
 2023-09-09 14:07:04 -06:00
Todd C. Miller
75209e2718 Rename check.h -> timestamp.h and add remaining timestamp.c prototypes. 2023-08-29 11:16:23 -06:00
Todd C. Miller
8cd0d74fbb Restore AUTH_INTR support, it is still needed. 
We still need AUTH_INTR to know when to break out of the password
prompt loop.
 2023-08-29 10:02:09 -06:00
Todd C. Miller
c858acc481 Rename AUTH_FATAL -> AUTH_ERROR. 2023-08-26 10:45:29 -06:00
Todd C. Miller
bae716642c Replace AUTH_INTR return with AUTH_FAILURE. 
The two were treated identically by the caller.
 2023-08-26 10:08:32 -06:00
Todd C. Miller
837da1bef0 Move NewArgv, NewArgc and saved_argv into struct sudoers_context. 2023-08-21 09:22:24 -06:00
Todd C. Miller
2440174954 Make struct sudoers_context private to sudoers.c. 
We now pass a pointer to the context where necessary.  There are a
few cases where we need to request the context from sudoers via
sudoers_get_context() for the plugin API functions.  If the plugin
API was able to pass around a closure pointer this would not be
necessary.
 2023-08-21 09:21:49 -06:00
Todd C. Miller
cbcb1d2506 sudoers plugin: make more bit flags unsigned. 2023-07-10 11:06:23 -06:00
Todd C. Miller
a38b714667 sudoers plugin: silence most -Wconversion warnings. 2023-07-07 15:07:04 -06:00
Todd C. Miller
2911c31dd7 Display the lecture immediately before prompting for a password. 
This means we no longer display the lecture unless the user is going
to enter a password.  Authentication methods that don't interact
with the user via the terminal don't trigger the lecture.
 2022-02-21 19:34:06 -07:00
Todd C. Miller
a2d27bc9ec Fix return value for non-interactive mode for non-standalone auth methods. 
AUTH_NONINTERACTIVE was being stored in the wrong variable.
 2022-01-05 16:41:19 -07:00
Todd C. Miller
72989bf83f Quiet two PVS-studio warnings. 2022-01-05 11:04:18 -07:00
Todd C. Miller
521ef37aea Push non-interactive mode checking down into the auth methods. 
For "sudo -n" we only want to reject a command if user input is
actually required.  In the case of PAM at least, we may not need
to interact with the user.  Bug #956, GitHub issue #83
 2022-01-04 18:57:36 -07:00
Todd C. Miller
ce97ca28db Use OpenBSD-compatible freezero() in place of explicit_bzero() + free() 2020-08-10 19:24:33 -06:00
Todd C. Miller
cef6e3687e Switch from memset_s() -> explicit_bzero(). 
memset_s() (and all of Annex K) is likely to be removed from the
a future version of the standard.
 2020-08-10 19:24:32 -06:00
Todd C. Miller
b519481912 Defer logging of the successful command until approval plugins have run. 
This adds audit plugin support to the sudoers module, currently
only used for accept events.  As a result, the sudoers file is now
initially parsed as an audit plugin.
 2020-06-02 09:07:46 -06:00
Todd C. Miller
446ae3f507 Include string.h unconditionally and only use strings.h for strn?casecmp() 
In the pre-POSIX days BSD had strings.h, not string.h.
Now strings.h is only used for non-ANSI string functions.
 2020-05-18 07:59:24 -06:00
Todd C. Miller
ec3fdd3aa8 Add a force flag to sudo_auth_cleanup() to force immediate cleanup. 
This is used for PAM authentication to make sure pam_end() is called
via sudo_auth_cleanup() when the user authenticates successfully but
sudoers denies the command.  Debian bug #669687
 2020-04-01 14:41:38 -06:00
Todd C. Miller
486ee2b71f debug_decl and debug_decl_vars now require a semicolon at the end. 2019-12-22 08:48:16 -07:00
Todd C. Miller
972670bfca Use the SUDO_CONV_PREFER_TTY flag during authentication. 
This prevents the password and PAM prompts from being redirected.
Bug #895
 2019-08-26 19:30:11 -06:00
Todd C. Miller
1e1ef61902 Add SPDX-License-Identifier to files. 2019-04-29 07:21:51 -06:00
Todd C. Miller
6c3d20cb41 Convert PVS-Studio comment to ANSI C. 2018-10-26 08:39:09 -06:00
Todd C. Miller
64e5d34c57 Add comments in .c files so PVS-Studio will check them. 2018-10-21 08:46:05 -06:00
Todd C. Miller
394524fd5d Ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED errors from 
pam_acct_mgmt() if authentication is disabled for the user.
Bug #843
 2018-07-26 12:31:29 -06:00
Todd C. Miller
43003d29d8 Use arc4random for mkstemp() and insults. 2018-05-24 21:04:23 -06:00
Todd C. Miller
4c0c225062 Store passwd_timeout and timestamp_timeout as a struct timespec 
instead of as a float.  Remove timeout argument to auth_getpass()
as it was never used.
 2018-01-22 12:18:48 -07:00
Todd C. Miller
594c2d4efd Add an approval function to the sudo auth API which is run after 
the user's password has been verified.  The approval function is
run even if no password is required.  This is currently only used
for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
 2018-01-16 10:27:58 -07:00
Todd C. Miller
48fba3c2cc update my email to Todd.Miller@sudo.ws 2017-12-03 17:53:40 -07:00
Todd C. Miller
7db97c7835 Avoid a clang analyzer false positive. 2017-05-12 10:02:18 -06:00
Todd C. Miller
d979898e71 Remove use of non-standard sigaction_t 2017-05-12 10:02:18 -06:00
Todd C. Miller
3f022419ae Be consistent with the naming of the variable used to store the 
function return value.  Previously, some code used "rval", some
used "ret".  This standardizes on "ret" and uses "rc" for temporary
return codes.
 2016-09-08 16:38:08 -06:00
Todd C. Miller
b9dde14808 No need to set pass to NULL after freeing at the end of the loop 
it since it is already set to NULL each time through the loop.
 2016-05-16 10:18:31 -06:00
Todd C. Miller
873d5cc5ff Try to deconfuse static analyzers a bit. 2016-01-27 16:19:22 -07:00
Todd C. Miller
ab11cdde2c auth_getpass() returns a dynamically allocated copy of the plaintext 
password which needs to be freed after checking (and clearing) it.
 2016-01-27 15:36:50 -07:00
Todd C. Miller
2ecda6d65c Use the auth_getpass (and the plugin conversation fuction) for Tru64 
SIA.  This prevents sudo from sleeping while holding the tty ticket
lock.
 2015-10-06 10:25:53 -06:00
Todd C. Miller
98a15d9879 Add a struct sudo_conv_callback that contains on_suspend and on_resume 
function pointer args plus a closure pointer and at it to the
conversation function.
 2015-09-07 06:06:08 -06:00
Todd C. Miller
2b6085760c In sudo_pam_begin_session() and sudo_pam_end_session() return 
AUTH_FATAL on error, not AUTH_FAILURE.  In sudo_auth_begin_session()
treat anything other than AUTH_SUCCESS as a fatal error.
 2015-08-10 20:17:02 -06:00
Todd C. Miller
0b241088b3 There's no need to conditionalize the #include <unistd.h>, we require 
a POSIX system.
 2015-07-02 09:08:28 -06:00
Todd C. Miller
4a07b472f0 Only include stddef.h where it is needed. 2015-06-20 05:34:35 -06:00
Todd C. Miller
dc883f2454 We require ANSI C so stop using the obsolete STDC_HEADERS. 2015-06-19 14:29:27 -06:00
Todd C. Miller
e11f32fd42 On AIX use the value of auth_type in /etc/security/login.cfg to 
determine whether to use LAM or PAM unless the user specified the
--with-pam or --with-aixauth configure flags.
 2015-02-23 11:12:43 -07:00
Todd C. Miller
59ab26dbcc Go back to a 2 args debug_decl and just use the "default" instance, 
now renamed "active".
 2015-02-01 08:24:49 -07:00
Todd C. Miller
e9914a91b1 The sudoers plugin now defines its own list of debugging subsystem names 
and defines.
 2014-10-22 13:30:52 -06:00
Todd C. Miller
866cfc4fc3 Add support for multiple Debug lines per program. Callers may 
register arbitrary debug facilities or use built-in defaults.  We
now use separate Debug statements for plugins and programs.
 2014-10-22 13:23:05 -06:00
Todd C. Miller
b7444e0f83 Simplify how we count the password tries 2014-09-27 10:17:21 -06:00
Todd C. Miller
355834c76a Block SIGINT and SIGQUIT while verifying passwords so that 
authentication modules that use sleep() are not interrupted.
If the user interrupted authentication, exit the loop.
 2014-09-27 10:16:31 -06:00
Todd C. Miller
d28c525ede If all authentication methods fail init/setup, fail with an error. 2014-09-26 20:55:19 -06:00